In recent years, individuals and organizations have become increasingly concerned with protecting their networks and computing resources from malicious attacks. Malicious attacks on network and computing resources often vary widely in their degree of sophistication and/or complexity. For example, rudimentary or unsophisticated attacks may rely on exploits or attacks that are not especially complex, intelligent, or sophisticated. These attacks are also often fleeting or one-off. Advanced Persistent Threats (APTs), in contrast, often utilize relatively intelligent or sophisticated exploits or attacks that persist over an extended period of time.
While rudimentary or unsophisticated attacks may be relatively easy to identify or detect, network administrators often have trouble identifying or detecting APTs, since these attacks often appear similar to the behavior of legitimate administrators or technically sophisticated users. For example, APTs may use the same or similar network commands and applications that administrators use to manage networks, in an attempt to mask their illegitimate traffic and/or behavior, potentially frustrating the efforts of network administrators to distinguish between legitimate and illegitimate activity.
Accordingly, the instant disclosure identifies a need for systems and methods capable of more accurately identifying security threats, especially systems and methods capable of more accurately distinguishing between APTs and the innocuous behavior of technically sophisticated users.